| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/cert/cert_policy_enforcer.h" | |
| 6 | |
| 7 #include <string> | |
| 8 | |
| 9 #include "base/memory/scoped_ptr.h" | |
| 10 #include "net/base/test_data_directory.h" | |
| 11 #include "net/cert/ct_ev_whitelist.h" | |
| 12 #include "net/cert/ct_verify_result.h" | |
| 13 #include "net/cert/x509_certificate.h" | |
| 14 #include "net/test/cert_test_util.h" | |
| 15 #include "net/test/ct_test_util.h" | |
| 16 #include "testing/gmock/include/gmock/gmock.h" | |
| 17 #include "testing/gtest/include/gtest/gtest.h" | |
| 18 | |
| 19 namespace net { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 class MockEVCertsWhitelist : public ct::EVCertsWhitelist { | |
| 24 public: | |
| 25 MockEVCertsWhitelist(bool is_valid_return, bool contains_hash_return) { | |
| 26 EXPECT_CALL(*this, IsValid()).WillOnce(testing::Return(is_valid_return)); | |
| 27 if (is_valid_return) | |
| 28 EXPECT_CALL(*this, ContainsCertificateHash(testing::_)) | |
| 29 .WillOnce(testing::Return(contains_hash_return)); | |
|
Ryan Sleevi
2014/12/01 15:27:55
Right, I wanted to entirely avoid EXPECT_CALL, it'
| |
| 30 } | |
| 31 | |
| 32 MOCK_CONST_METHOD0(IsValid, bool()); | |
| 33 MOCK_CONST_METHOD1(ContainsCertificateHash, bool(const std::string&)); | |
| 34 | |
| 35 protected: | |
| 36 ~MockEVCertsWhitelist() override {} | |
| 37 }; | |
| 38 | |
| 39 class CertPolicyEnforcerTest : public ::testing::Test { | |
| 40 public: | |
| 41 virtual void SetUp() override { | |
| 42 policy_enforcer_.reset(new CertPolicyEnforcer(5, true)); | |
| 43 | |
| 44 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
| 45 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | |
| 46 der_test_cert.size()); | |
| 47 ASSERT_TRUE(chain_.get()); | |
| 48 } | |
| 49 | |
| 50 void FillResultWithSCTsOfOrigin( | |
| 51 ct::SignedCertificateTimestamp::Origin desired_origin, | |
| 52 int num_scts, | |
| 53 ct::CTVerifyResult* result) { | |
| 54 for (int i = 0; i < num_scts; ++i) { | |
| 55 scoped_refptr<ct::SignedCertificateTimestamp> sct( | |
| 56 new ct::SignedCertificateTimestamp()); | |
| 57 sct->origin = desired_origin; | |
| 58 result->verified_scts.push_back(sct); | |
| 59 } | |
| 60 } | |
| 61 | |
| 62 protected: | |
| 63 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | |
| 64 scoped_refptr<X509Certificate> chain_; | |
| 65 }; | |
| 66 | |
| 67 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | |
| 68 ct::CTVerifyResult result; | |
| 69 FillResultWithSCTsOfOrigin( | |
| 70 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
| 71 | |
| 72 EXPECT_TRUE( | |
| 73 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
| 74 } | |
| 75 | |
| 76 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | |
| 77 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
| 78 ct::CTVerifyResult result; | |
| 79 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
| 80 &result); | |
| 81 | |
| 82 EXPECT_TRUE( | |
| 83 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
| 84 } | |
| 85 | |
| 86 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | |
| 87 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist = | |
| 88 new MockEVCertsWhitelist(true, false); | |
| 89 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
| 90 // However, as there are only two logs, two SCTs will be required - supply one | |
| 91 // to guarantee the test fails. | |
| 92 ct::CTVerifyResult result; | |
| 93 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 94 &result); | |
| 95 | |
| 96 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 97 chain_.get(), non_including_whitelist.get(), result)); | |
|
Ryan Sleevi
2014/12/01 15:27:55
did clang-format (aka "git cl format") do this? If
Eran Messeri
2014/12/01 17:29:54
I can only assume it did (I ran git-cl format).
| |
| 98 | |
| 99 // ... but should be OK if whitelisted. | |
| 100 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
| 101 new MockEVCertsWhitelist(true, true); | |
|
Ryan Sleevi
2014/12/01 15:27:55
Note dominant style in this file is to use ctor in
Eran Messeri
2014/12/01 17:29:54
Done.
| |
| 102 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 103 chain_.get(), whitelist.get(), result)); | |
| 104 } | |
| 105 | |
| 106 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { | |
| 107 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); | |
| 108 | |
| 109 ct::CTVerifyResult result; | |
| 110 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 111 &result); | |
| 112 // Expect true despite the chain not having enough SCTs as the policy | |
| 113 // is not enforced. | |
| 114 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
| 115 } | |
| 116 | |
| 117 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | |
| 118 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | |
| 119 "subject", "issuer", base::Time(), base::Time::Now())); | |
| 120 ct::CTVerifyResult result; | |
| 121 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
| 122 &result); | |
| 123 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 124 no_valid_dates_cert.get(), nullptr, result)); | |
| 125 // ... but should be OK if whitelisted. | |
| 126 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
| 127 new MockEVCertsWhitelist(true, true); | |
| 128 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 129 chain_.get(), whitelist.get(), result)); | |
| 130 } | |
| 131 | |
| 132 TEST_F(CertPolicyEnforcerTest, | |
| 133 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | |
| 134 // Test multiple validity periods: Over 27 months, Over 15 months (but less | |
| 135 // than 27 months), | |
| 136 // Less than 15 months. | |
| 137 const size_t validity_period[] = {12, 19, 30, 50}; | |
| 138 const size_t needed_scts[] = {2, 3, 4, 5}; | |
| 139 | |
| 140 for (int i = 0; i < 3; ++i) { | |
| 141 size_t curr_validity = validity_period[i]; | |
| 142 scoped_refptr<X509Certificate> cert(new X509Certificate( | |
| 143 "subject", "issuer", base::Time::Now(), | |
| 144 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); | |
| 145 size_t curr_required_scts = needed_scts[i]; | |
| 146 ct::CTVerifyResult result; | |
| 147 for (size_t j = 0; j < curr_required_scts - 1; ++j) { | |
| 148 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
| 149 1, &result); | |
| 150 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), | |
| 151 nullptr, result)) | |
| 152 << " for: " << curr_validity << " and " << curr_required_scts | |
| 153 << " scts=" << result.verified_scts.size() << " j=" << j; | |
| 154 } | |
| 155 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 156 &result); | |
| 157 EXPECT_TRUE( | |
| 158 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result)); | |
| 159 } | |
| 160 } | |
| 161 | |
| 162 TEST_F(CertPolicyEnforcerTest, | |
| 163 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { | |
| 164 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); | |
| 165 | |
| 166 ct::CTVerifyResult result; | |
| 167 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
| 168 &result); | |
| 169 // Expect true despite the chain not having enough SCTs according to the | |
| 170 // policy | |
| 171 // since we only have 2 logs. | |
| 172 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
| 173 } | |
| 174 | |
| 175 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
| 176 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
| 177 new MockEVCertsWhitelist(true, true); | |
| 178 | |
| 179 ct::CTVerifyResult result; | |
| 180 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 181 &result); | |
| 182 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 183 chain_.get(), whitelist.get(), result)); | |
| 184 } | |
| 185 | |
| 186 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | |
| 187 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
| 188 new MockEVCertsWhitelist(false, true); | |
| 189 | |
| 190 ct::CTVerifyResult result; | |
| 191 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 192 &result); | |
| 193 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
| 194 chain_.get(), whitelist.get(), result)); | |
| 195 } | |
| 196 | |
| 197 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | |
| 198 ct::CTVerifyResult result; | |
| 199 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
| 200 &result); | |
| 201 EXPECT_FALSE( | |
| 202 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
| 203 } | |
| 204 | |
| 205 } // namespace | |
| 206 | |
| 207 } // namespace net | |
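Review bot: In DoesNotConformToPolicyInvalidDates the "OK if whitelisted" follow-up passes `chain_.get()` instead of `no_valid_dates_cert.get()`, so it never exercises the certificate the test is about. `chain_` with five embedded SCTs already conforms with a null whitelist in ConformsToCTEVPolicyWithEmbeddedSCTs, so that final EXPECT_TRUE can pass whether or not the whitelist is consulted. If the intent is that a whitelisted certificate is accepted despite unusable validity dates, the call should be `policy_enforcer_->DoesConformToCTEVPolicy(no_valid_dates_cert.get(), whitelist.get(), result)`. Separately, ConformsToPolicyExactNumberOfSCTsForValidityPeriod declares four entries in `validity_period` and `needed_scts` but loops with `i < 3`, so the 50-month / 5-SCT tier is never checked. Deriving the bound from the array, e.g. `for (size_t i = 0; i < arraysize(validity_period); ++i)`, would cover it, and the comment above the arrays should name the fourth tier.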